How do I join a Linux machine to a Windows Domain?

In this How do I, Jack Wallen shows you how to join your Linux machine to a Windows domain with the help of Likewise-Open.

Most Linux users assume there will never come a time when they can join their machines to a Microsoft Windows domain. It has long felt off-limits: you could take your Linux laptop to work, but you could not work within the domain. That is now history. With recent updates to many Linux systems and sub-systems comes the ability to join a Windows domain. It is not terribly challenging, but you will need to edit a few configuration files.

In this How do I, I show you how to join your Linux machine to a Windows domain with the help of Likewise-Open.

Download Likewise-Open

Go to the Likewise-Open download page and make sure you download the file applicable to your distribution (and to your architecture, 32- or 64-bit). You will also want to download the GUI application if you prefer a graphical user interface.

Install Likewise-Open

The downloaded file is a precompiled, self-extracting installer binary. Install it as follows:

1. Open up a terminal window.

2. Change to the directory housing the Likewise-Open download file.

3. Issue the command:

chmod u+x Likewise*

4. Issue the command:

./LikewiseIdentityServiceOpen-XXX-linux-YYY-ZZZ-installer

Where XXX is the release number, YYY is your machine architecture, and ZZZ is the type of file you downloaded.

NOTE: You must have root privileges to execute this command, so either su to the root user or prefix the command with sudo. Because you are running a downloaded binary as root, check its checksum or signature against what the download page publishes (if it publishes one) before running it.

ALSO NOTE: If you plan on using the GUI, also issue the command:

./LikewiseDomainJoinGui-XXX-linux-YYY-ZZZ-installer

Where XXX, YYY and ZZZ are the same release, architecture and file-type placeholders as above. This installer, too, must be run with root privileges.

5. Walk through the simple GUI installer.

The article also asks you to make sure winbind is installed. Strictly speaking Likewise-Open does not depend on Samba's winbind (it ships its own lsass daemon and nsswitch module), but having the Samba tools on the host is useful for testing shares after the join. If it is not installed, install it with either your Add/Remove Software tool or a command similar to sudo apt-get install winbind.

Configure /etc/hosts

You need to add your domain controller to your /etc/hosts file. The entry takes the form:

IP_ADDRESS FQDN

Where IP_ADDRESS is the actual IP address of your domain controller and FQDN is the fully qualified domain name of your domain controller, for example 192.0.2.10 domainserver.domain.internal (a placeholder address). Treat this entry as a fallback only: Kerberos and Active Directory rely on DNS (the domain's A and SRV records), so the host's /etc/resolv.conf should point at a DNS server that serves the domain, and the name you put here must be the same FQDN you use for the kdc in krb5.conf below.

Configure KRB5

This is where it gets tricky. You have to edit /etc/krb5.conf and add the correct realm information under the [realms] directive. A realm entry will look like this:

[realms]

DOMAIN.INTERNAL = {

kdc = domainserver.domain.internal

admin_server = domainserver.domain.internal

default_domain = DOMAIN.INTERNAL

}

NOTE: Replace domainserver.domain.internal with the fully qualified host name of your domain controller, the same name you added to /etc/hosts. Use the host name, not the IP address, so that the Kerberos service principal matches.

ALSO NOTE: Capitalization is critical for this to work. Kerberos realm names are case-sensitive, and an Active Directory realm is the DNS domain name in upper case (DOMAIN.INTERNAL), while host names stay lower case. Follow the example above exactly.

After you have that section entered, there are a couple more pieces to work on. The first is a small section above the [realms] directive. If your krb5.conf file does not have a [libdefaults] section, add it like this:

[libdefaults]

default_realm = DOMAIN.INTERNAL

The final section you need to work on is the [domain_realm] directive, which maps DNS names to the realm. Make sure it contains the following (the leading dot covers every host under the domain):

.domain.internal = DOMAIN.INTERNAL

domain.internal = DOMAIN.INTERNAL

That's it for the KRB5 configuration.

Configure nsswitch

Open up the file /etc/nsswitch.conf and make sure you see the following lines:

passwd: compat lsass

group: compat lsass

What you might see is the above lines without the lsass entry. If that is the case, simply add lsass to the end of each line. This is what makes domain users and groups visible to the system (getent passwd, login, sudo) after the join.

Joining the domain

Before you start up the Likewise-Open GUI to join the domain, confirm that the Kerberos configuration works by obtaining a ticket for a domain account. To do this, issue the command:

kinit ADMIN_ACCOUNT@DOMAIN.INTERNAL

Where ADMIN_ACCOUNT is a domain account with the right to join computers to the domain (a Domain Admin works, but that right can be delegated to a less privileged account, which is preferable on a workstation) and DOMAIN.INTERNAL is the realm you configured, in upper case. You will have to enter that account's password before this will work. Note that kinit obtains a Kerberos ticket-granting ticket, not a certificate; you can confirm the ticket was issued by issuing the command klist. If kinit fails here, the problem is in /etc/hosts, DNS or krb5.conf, and the domain join will fail for the same reason.

Finally you can issue the command sudo domainjoin-gui, which will start up the GUI tool to join the domain.

Once you have entered the domain name and the credentials, click the Join Domain button and Likewise-Open will do its thing. Upon successfully joining the domain, you will need to log out and log back in. Remember, your domain username will be in the form DOMAIN\username, and it is the domain username, not the local username.
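The following script is an added example and is not part of the original article or of Likewise-Open. It checks the three files edited above (/etc/hosts, /etc/krb5.conf and /etc/nsswitch.conf) for the mistakes that most often break the join: a realm that is not upper-case or not the default, a domain controller name that is not resolvable from /etc/hosts, and an nsswitch.conf that never gained the lsass source. The function names are my own, and the files it inspects are constructed samples written to a temporary directory so that it runs offline; on a real host, call the functions on the /etc files instead.

```shell
#!/bin/sh
# Added example (not from the article): pre-join checks for the Likewise-Open
# configuration steps. Function names are hypothetical; the sample files below
# are constructed for the demonstration (192.0.2.10 is a documentation address).
set -u

# krb5_realm_ok FILE REALM: succeeds if REALM is all upper-case (Kerberos
# compares realm names case-sensitively and AD realms are the DNS domain in
# capitals), FILE sets default_realm = REALM under [libdefaults], and FILE has
# a matching "REALM = {" block under [realms].
krb5_realm_ok() {
    file=$1 realm=$2
    [ "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" = "$realm" ] || return 1
    awk -v want="$realm" '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]*/, "", section); next }
        section == "[libdefaults]" && $0 ~ /^[ \t]*default_realm[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2])
            if (kv[2] == want) have_default = 1
        }
        section == "[realms]" && $1 == want && $2 == "=" && $3 == "{" { have_block = 1 }
        END { exit ((have_default && have_block) ? 0 : 1) }' "$file"
}

# nss_has_lsass FILE: succeeds if both the passwd and group lines list lsass,
# which is what makes domain users and groups visible to the system.
nss_has_lsass() {
    awk '
        $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "lsass") p = 1 }
        $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "lsass") g = 1 }
        END { exit ((p && g) ? 0 : 1) }' "$1"
}

# hosts_has_dc FILE FQDN: succeeds if a non-comment line in FILE maps an
# address to FQDN, the name used for kdc/admin_server in krb5.conf.
hosts_has_dc() {
    awk -v h="$2" '
        $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# pre_join_check HOSTS KRB5 NSS REALM DC_FQDN: runs all three checks, prints
# one line per check and returns 0 only if every check passed.
pre_join_check() {
    rc=0
    hosts_has_dc "$1" "$5"  && echo "ok   hosts: $5"       || { echo "FAIL hosts: no entry for $5"; rc=1; }
    krb5_realm_ok "$2" "$4" && echo "ok   krb5: realm $4"  || { echo "FAIL krb5: realm $4 missing, not default_realm, or not upper-case"; rc=1; }
    nss_has_lsass "$3"      && echo "ok   nsswitch: lsass" || { echo "FAIL nsswitch: add lsass to the passwd and group lines"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the fragments in the article.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

printf '127.0.0.1 localhost\n192.0.2.10 domainserver.domain.internal domainserver\n' > "$TMP/hosts"

cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = DOMAIN.INTERNAL

[realms]
    DOMAIN.INTERNAL = {
        kdc = domainserver.domain.internal
        admin_server = domainserver.domain.internal
        default_domain = DOMAIN.INTERNAL
    }

[domain_realm]
    .domain.internal = DOMAIN.INTERNAL
    domain.internal = DOMAIN.INTERNAL
EOF

printf 'passwd: compat lsass\ngroup: compat lsass\n' > "$TMP/nsswitch.conf"
# A deliberately broken copy: lsass is missing from the group line.
printf 'passwd: compat lsass\ngroup: compat\n' > "$TMP/nsswitch.bad"

pre_join_check "$TMP/hosts" "$TMP/krb5.conf" "$TMP/nsswitch.conf" \
    DOMAIN.INTERNAL domainserver.domain.internal
```

On a real host, run pre_join_check /etc/hosts /etc/krb5.conf /etc/nsswitch.conf DOMAIN.INTERNAL domainserver.domain.internal, then kinit and klist as described above, and only then start domainjoin-gui (or, on a headless server, the CLI that ships with Likewise-Open: sudo domainjoin-cli join domain.internal ADMIN_ACCOUNT). The script only inspects files; reachability of DNS and of the KDC is what the kinit step proves.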

Final thoughts

That's it. Linux has come a long way, and the ability to join a Windows domain speaks volumes for its maturity. And although this might seem like a chore, joining a Linux machine to a domain with Samba alone is far more challenging.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.


I'm interested in the opposite of this - how to join a Windows machine to a Linux box running LDAP & Kerberos. This used to work using ksetup on Windows XP, but it doesn't work with Windows 7 or 2008 server.

Ok, this is good if you're looking to join one machine but will get complicated if you're looking to join a group of machines. If authentication is the primary need, here's a free tool (shameless plug) for Centrify Express which comes with a mgmt gui that detects and allows you to deploy the necessary bits to join Linux and Mac systems to AD...makes life a lot easier.
http://www.centrify.com/express/free-active-directory-tools-for-linux-mac.asp

Unless there is something special about this that I am not aware of, I don't see how this is anything new. Linux machines have been able to participate in Windows domains for a very, very long time now. In fact, you mention at the end that it can be done with Samba. I've seen it be very, very easy for a long time. Many Linux based NAS devices have been doing it forever, with a simple config tool.
Besides, joining the domain isn't the trick. The trick is truly participating in it, like using the domain to get printer information, or using domain security objects for local authentication (for example, tying the local admin group to the domain admin group).
J.Ja

> That's it. Linux has come a long way and the ability
> to join a Windows domain speaks volumes for its maturity.
What a crock. Linux has always been able to join an LDAP domain, which MS used as a part of its 'embrace, extend, extinguish' methodology of taking good ideas (LDAP) and adding complexity. I don't think this article has anything to do with Linux's maturity, it just shows that using MS products requires admins to jump through hoops to get non-MS products to function when on a Microsoft-based (not standards-based) network.

The domain primarily provides configuration policy though obviously it provides authentication. *nix isn't going to recognize Windows policy rules and Windows isn't going to provide any *nix policy rules. Only benefit I've found is authentication when accessing CIFS shares though I do need to play more and get my workstation pulling login authentication from the domain also.

Jack's article is technically useful, but mostly just further evidence of why Linux has such minuscule mind and market share. Heck, it's enough to scare away all but the most fervent believers.
We'll know there has been real progress when a follow-up article reads something like this.
1. Download and install Win-AD module.
2. Click Join Domain button.
3. Follow the prompts.

Likewise is available in the Ubuntu repos now, and I believe is pre-installed in the Ubuntu server version, though I can't remember for sure.
Competing products include Quest's Quest Authentication Services, and Centrify's Identity Mgmt suite.
They all let you do far more than just login -- you can use AD groups to control access, you can manage/limit sudo privileges, Quest supports an Apache module that lets you do Integrated Windows Authentication against your Apache servers running on Linux (more smoothly than trying to use the Samba winbind modules), you can manage assets, in certain limited ways, you can apply GPO settings.
While I'm not particularly an AD fan, for an organization that has a real investment in AD, it's actually very helpful. What will be interesting is to see if people can use these solutions with Samba4 running as your AD server <head explodes>.

That's exactly it... the *only* reason to join a non-Windows machine to an Active Directory domain is for file share security (in which case I'll do it in Samba). Until someone adds some sort of weird overlay to Linux (or BSD or OSX or whatever) that allows it to fully work with AD (printers, group policies, etc. etc. etc.) then I really don't see much point.
J.Ja

I have been looking for it a long time and have not found it. If you are referring to CentOS, then yes; otherwise I would love it if you could provide a link. When I checked, you could get a 90 day evaluation copy. You must have a subscription to get the full extended version.
Also there are a couple of products that seem to be able to apply MS GPOs to *nix machines. Centrify is one (http://www.centrify.com/directcontrol/grouppolicy.asp). There is another one that appears to be good but I cannot remember the name right now.

Open Source and most licenses have no rule against paying for software. It's perfectly acceptable to sell a "value add" version that builds on a no-cost base product. Running closed source or retail products on top of the open source base is also acceptable in most licenses.
Consider Mandriva Free and One distribution flavors available at no cost with PowerPack sold at a reasonable cost and including proprietary or patent licensed additions (media codecs, flash, some retail software like LinDVD).
Red Hat is another example: you can go download installs for Red Hat Enterprise, but you'll need to purchase a service contract to receive ongoing support and updates.
Novell; OpenSUSE is free to download while SUSE Linux Enterprise Edition is a retail product.
In terms of transparency because distributions are open source, Microsoft isn't including policy templates for *nix based distributions so source visibility doesn't help there. I'm not sure if any third parties are doing so or if the non-Microsoft folks simply focus on the non-Microsoft LDAP solutions (Active Directory being nothing more than LDAP embraced and extended)

Sometimes, in the enterprise, we must run apps that require a Linux platform.
However our user base only cares about one user name and one password.
It minimizes complexity to allow the Linux host to manage authentication just like a Windows system. That way, we can add Julie to the app users group and she can immediately login.
That is worth a lot.

I had a friend installing the latest OpenSUSE so I took an image of the disk and tossed it into a VM. I'd have to do my custom minimal install + stuff to see how bloaty the package dependencies were, but the default install looks pretty good and YaST has a crapload of stuff for managing the config. At some point, I'm going to add it into the domain for further testing. Novell's goal was a platform that plugged into an existing Windows network, so I'm optimistic.

I remember Jaqui recommending Suse for Active Directory compatibility back in 2008 or so. I haven't tested it, but it sounds like that feature alone might make it the distro of choice for integrating with AD.